Copyright (C) 2000 Internet Software Consortium.

This document summarizes the state of the DNSSEC implementation in

Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the

The random data used in generating DNSSEC keys and signatures comes from

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
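To make the wildcard caveat concrete, here is an added example (not BIND code) that checks the NXT records of a negative response for both proofs RFC2535 calls for: that the queried name is absent, and that no wildcard could have matched it. The closest-encloser derivation used here (the longer common ancestor of the name with the covering NXT's owner or next name) is an assumption of this example, not something the document states.

```python
# Added example, not part of BIND 9: a small NXT-based nonexistence checker.
# Names are dotted, fully qualified strings such as "a.example.".

def labels(name):
    """Canonical-order key: labels root-first, compared case-insensitively."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)[::-1]

def canonical_lt(a, b):
    """RFC2535 section 8.1 ordering: root-first, and a parent sorts before its children."""
    return labels(a) < labels(b)

def nxt_covers(owner, nxt, name):
    """True if name lies strictly inside the gap (owner, next) spanned by one NXT.
    If next sorts at or before owner, this is the last NXT in the zone and the
    gap wraps around to the zone apex."""
    o, n, q = labels(owner), labels(nxt), labels(name)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NXT in the zone: wrap-around gap

def common_ancestor(a, b):
    """Longest common ancestor of two names, returned as a dotted name ("." for root)."""
    la, lb = labels(a), labels(b)
    i = 0
    while i < min(len(la), len(lb)) and la[i] == lb[i]:
        i += 1
    return ".".join(reversed(la[:i])) + "."

def proves_nonexistence(qname, nxts):
    """nxts: list of (owner, next) pairs taken from a "name does not exist" response.
    Returns (name_proven, wildcard_proven). A validator that only checks the
    first element accepts the incomplete responses described above."""
    cover = [(o, n) for o, n in nxts if nxt_covers(o, n, qname)]
    if not cover:
        return False, False
    owner, nxt = cover[0]
    # Closest encloser (assumption: longer common ancestor with either end of
    # the covering NXT); the wildcard that could have matched is "*.<encloser>".
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
             key=lambda x: len(labels(x)))
    wildcard = "*." + ce.lstrip(".")
    # The wildcard is proven absent only if some NXT in the response covers it;
    # if "*.<encloser>" is itself an NXT owner, the wildcard exists and no proof holds.
    wildcard_ok = any(nxt_covers(o, n, wildcard) for o, n in nxts)
    return True, wildcard_ok
```

Constructed input for a zone "example." containing only "a.example." and "c.example.": the full NXT chain proves both facts for a query for "b.example.", while the single covering NXT alone proves only the name's absence.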
Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
Performance of Cryptographic Operations

The cryptographic primitives used by the BIND 9 DNSSEC implementation
are based on the OpenSSL library. A version of that library is
integrated into the distribution, but for portability reasons this
version does not make use of any platform-specific assembly language

On many platforms, particularly i386 and SPARC, a significant
improvement in signing and verification speed can be achieved by linking
BIND 9 with a separate OpenSSL library that uses hand-optimized
assembly language routines. To do this, you need to install OpenSSL
version 0.9.5a or newer separately from the BIND 9 tree prior to
building BIND 9, using the default openssl configuration settings
which will cause it to be built with assembly language routines. Then
specify the "--with-openssl" option to the BIND 9 configure script
to make BIND 9 link against the system openssl library rather than its

$Id: dnssec,v 1.9 2000/08/09 04:37:39 tale Exp $